Splunk Search

How do i use eval to calculate two fields?

FYPTEST
Engager

What I am trying to accomplish with the command is to find the events with the EventCode "4624" and Logon_Type "10" or "2", and to name them as "RDP", however i get the following error:

Here is the query below:

index=wineventlogsecurity source=xmlWinEventLog:Security | stats count(eval(EventCode="4624") AND (Logon_Type="10")) AS RDP


Then I get this error: 


Error in 'stats' command: The eval expression for dynamic field 'eval(EventCode="4624") AND (Logon_Type="10")' is invalid. Error='The operator at ') AND (Logon_Type="10"' is invalid.'.

Thanks in advance for any help! and apologies for the newbie questions as I am rather new to Splunk.

Labels (5)
0 Karma

manjunathmeti
Champion

hi @FYPTEST ,
AND and OR operators should be in the eval function. Check this,

index=wineventlogsecurity source=xmlWinEventLog:Security 
| stats count(eval(EventCode="4624" AND (Logon_Type="10" OR Logon_Type="2"))) AS RDP

 

If this reply helps you, an upvote/like would be appreciated.

ITWhisperer
SplunkTrust
SplunkTrust
index=wineventlogsecurity source=xmlWinEventLog:Security EventCode="4624" (Logon_Type="10" OR Logon_Type="2") | stats count AS RDP
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...